On Mon, 2020-07-13 at 19:13 +0000, Sergiy Genyuk via FreeIPA-users
wrote:
> Radius server is DUO, so when in FreeIPA the radius server is set it sends
> Access-Request to the DUO Radius server, DUO checks the password against AD and then pushes an Accept
> message to the user's mobile app... then returns an Access-Accept message back to FreeIPA.
> Of course it takes some time, so I have set up a timeout in the Radius section in the FreeIPA
> config, but that does not work. With any settings the default timeout is 5 seconds :-(
> Now I am looking for help, as my users are not so happy with the 5 sec timeout :-)

FreeIPA's OTP support is not compatible with challenge response
mechanisms that require user interaction like DUO.
The timeout is baked into too many layers.
I think DUO tokens can be configured to provide an OTP number in the app
directly before starting the authentication and w/o requiring
additional user confirmation, if this is an option you should use it.
IIRC,
I may be wrong, I'll let others correct me if that is the case.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc